@socketsecurity/lib 6.0.7 → 6.0.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +42 -0
- package/README.md +1 -1
- package/dist/ai/agent-context.d.mts +103 -0
- package/dist/ai/agent-context.js +157 -0
- package/dist/ai/backends.d.mts +83 -0
- package/dist/ai/backends.js +173 -0
- package/dist/ai/credentials.d.mts +49 -0
- package/dist/ai/credentials.js +82 -0
- package/dist/ai/discover.d.mts +4 -0
- package/dist/ai/discover.js +1 -1
- package/dist/ai/exec.d.mts +52 -0
- package/dist/ai/exec.js +92 -0
- package/dist/ai/http.d.mts +132 -0
- package/dist/ai/http.js +130 -0
- package/dist/ai/profiles.d.mts +41 -6
- package/dist/ai/profiles.js +52 -10
- package/dist/ai/route.d.mts +82 -0
- package/dist/ai/route.js +171 -0
- package/dist/ai/spawn.d.mts +42 -2
- package/dist/ai/spawn.js +146 -33
- package/dist/ai/subagent-status.d.mts +48 -0
- package/dist/ai/subagent-status.js +57 -0
- package/dist/ai/tier.d.mts +60 -0
- package/dist/ai/tier.js +53 -0
- package/dist/ai/types.d.mts +25 -2
- package/dist/ai/worktree.js +4 -0
- package/dist/archives/tar.js +1 -1
- package/dist/archives/zip.js +2 -2
- package/dist/argv/parse.d.ts +19 -2
- package/dist/argv/parse.js +1 -1
- package/dist/arrays/join.js +4 -0
- package/dist/bin/find.js +4 -4
- package/dist/bin/prim.cjs +23322 -18018
- package/dist/bin/resolve.js +2 -2
- package/dist/cache/ttl/store.js +2 -2
- package/dist/cli/check-primordials.d.ts +8 -3
- package/dist/cli/check-primordials.js +4 -4
- package/dist/compression/_internal.js +1 -1
- package/dist/compression/brotli.d.ts +1 -2
- package/dist/compression/brotli.js +5 -1
- package/dist/compression/gzip.js +5 -1
- package/dist/config/layers.d.ts +53 -0
- package/dist/config/layers.js +83 -0
- package/dist/constants/packages.d.ts +3 -0
- package/dist/constants/packages.js +2 -1
- package/dist/constants/socket.d.ts +2 -6
- package/dist/constants/socket.js +12 -14
- package/dist/cover/code.js +2 -2
- package/dist/crypto/hash.d.ts +4 -1
- package/dist/crypto/hash.js +4 -1
- package/dist/dlx/arborist.js +13 -3
- package/dist/dlx/binary-cache.js +1 -1
- package/dist/dlx/binary-resolution.js +1 -1
- package/dist/dlx/detect.d.ts +8 -0
- package/dist/dlx/firewall.d.ts +8 -0
- package/dist/dlx/lockfile.js +5 -2
- package/dist/dlx/manifest.js +1 -1
- package/dist/dlx/package.js +4 -0
- package/dist/eco/cargo/parse-lockfile.d.ts +1 -2
- package/dist/eco/cargo/parse-lockfile.js +3 -3
- package/dist/eco/manifest/detect-format.js +1 -1
- package/dist/eco/npm/npm/parse-lockfile.d.ts +3 -4
- package/dist/eco/npm/npm/parse-lockfile.js +2 -2
- package/dist/eco/npm/parse-package-json.d.ts +11 -0
- package/dist/eco/npm/parse-package-json.js +1 -1
- package/dist/eco/npm/pnpm/parse-lockfile.d.ts +5 -3
- package/dist/eco/npm/pnpm/parse-lockfile.js +3 -3
- package/dist/eco/npm/yarnpkg/yarn/exec.js +1 -1
- package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.d.ts +1 -2
- package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.js +2 -2
- package/dist/env/proxy.js +1 -1
- package/dist/env/rewire.d.ts +6 -3
- package/dist/env/rewire.js +7 -8
- package/dist/env/socket.d.ts +7 -0
- package/dist/env/socket.js +10 -0
- package/dist/env/xdg.d.ts +17 -0
- package/dist/env/xdg.js +21 -1
- package/dist/errors/predicates.js +1 -1
- package/dist/errors/stack.js +1 -2
- package/dist/external/@npmcli/package-json.js +3455 -4881
- package/dist/external/@npmcli/promise-spawn.js +3 -1
- package/dist/external/@yarnpkg/extensions.js +1 -1
- package/dist/external/external-pack.js +1 -1
- package/dist/external/npm-pack.js +29164 -31799
- package/dist/external/pico-pack.js +4 -2
- package/dist/external/tar-fs.js +63 -16
- package/dist/external/which.js +3 -1
- package/dist/external-tools/bazel/asset-names.d.ts +1 -1
- package/dist/external-tools/bazel/asset-names.js +5 -2
- package/dist/external-tools/bazel/from-download.d.ts +1 -1
- package/dist/external-tools/bazel/from-download.js +5 -2
- package/dist/external-tools/bazel/resolve-bazel-version.js +4 -0
- package/dist/external-tools/bazel/resolve.d.ts +3 -3
- package/dist/external-tools/bazel/resolve.js +16 -8
- package/dist/external-tools/cdxgen/asset-names.d.ts +1 -1
- package/dist/external-tools/cdxgen/asset-names.js +5 -2
- package/dist/external-tools/cdxgen/from-download.d.ts +1 -1
- package/dist/external-tools/cdxgen/from-download.js +7 -4
- package/dist/external-tools/cdxgen/resolve.d.ts +3 -3
- package/dist/external-tools/cdxgen/resolve.js +16 -8
- package/dist/external-tools/from-download.d.ts +2 -2
- package/dist/external-tools/from-download.js +11 -5
- package/dist/external-tools/from-pip-venv.d.ts +1 -1
- package/dist/external-tools/from-pip-venv.js +12 -5
- package/dist/external-tools/janus/asset-names.d.ts +1 -1
- package/dist/external-tools/janus/asset-names.js +5 -2
- package/dist/external-tools/janus/from-download.d.ts +1 -1
- package/dist/external-tools/janus/from-download.js +5 -2
- package/dist/external-tools/janus/resolve.d.ts +3 -3
- package/dist/external-tools/janus/resolve.js +16 -8
- package/dist/external-tools/jre/asset-names.d.ts +1 -1
- package/dist/external-tools/jre/asset-names.js +5 -2
- package/dist/external-tools/jre/detect-platform-arch.js +1 -1
- package/dist/external-tools/jre/from-download.d.ts +1 -1
- package/dist/external-tools/jre/from-download.js +7 -4
- package/dist/external-tools/jre/from-java-home.js +2 -2
- package/dist/external-tools/jre/from-vfs.js +2 -2
- package/dist/external-tools/jre/resolve.d.ts +3 -3
- package/dist/external-tools/jre/resolve.js +16 -8
- package/dist/external-tools/manifest.d.ts +18 -0
- package/dist/external-tools/manifest.js +2 -2
- package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
- package/dist/external-tools/opengrep/asset-names.js +5 -2
- package/dist/external-tools/opengrep/from-download.d.ts +1 -1
- package/dist/external-tools/opengrep/from-download.js +5 -2
- package/dist/external-tools/opengrep/resolve.d.ts +3 -3
- package/dist/external-tools/opengrep/resolve.js +16 -8
- package/dist/external-tools/python/asset-names.d.ts +1 -1
- package/dist/external-tools/python/asset-names.js +11 -4
- package/dist/external-tools/python/dlx.d.ts +3 -3
- package/dist/external-tools/python/dlx.js +20 -9
- package/dist/external-tools/python/from-download.d.ts +1 -1
- package/dist/external-tools/python/from-download.js +12 -5
- package/dist/external-tools/python/pin.js +6 -3
- package/dist/external-tools/python/pip-install.js +6 -3
- package/dist/external-tools/python/resolve.d.ts +3 -3
- package/dist/external-tools/python/resolve.js +19 -11
- package/dist/external-tools/python/uv-install.d.ts +89 -0
- package/dist/external-tools/python/uv-install.js +165 -0
- package/dist/external-tools/sbt/asset-names.d.ts +1 -1
- package/dist/external-tools/sbt/asset-names.js +5 -2
- package/dist/external-tools/sbt/from-download.d.ts +1 -1
- package/dist/external-tools/sbt/from-download.js +5 -2
- package/dist/external-tools/sbt/resolve.d.ts +3 -3
- package/dist/external-tools/sbt/resolve.js +16 -8
- package/dist/external-tools/skillspector/from-dlx.d.ts +1 -1
- package/dist/external-tools/skillspector/from-dlx.js +10 -3
- package/dist/external-tools/skillspector/from-uv.d.ts +30 -0
- package/dist/external-tools/skillspector/from-uv.js +56 -0
- package/dist/external-tools/skillspector/resolve.d.ts +20 -5
- package/dist/external-tools/skillspector/resolve.js +27 -6
- package/dist/external-tools/skillspector/types.d.ts +3 -1
- package/dist/external-tools/synp/asset-names.d.ts +1 -1
- package/dist/external-tools/synp/asset-names.js +6 -2
- package/dist/external-tools/synp/from-download.d.ts +1 -1
- package/dist/external-tools/synp/from-download.js +5 -2
- package/dist/external-tools/synp/resolve.d.ts +3 -3
- package/dist/external-tools/synp/resolve.js +16 -8
- package/dist/external-tools/trivy/asset-names.d.ts +1 -1
- package/dist/external-tools/trivy/asset-names.js +5 -2
- package/dist/external-tools/trivy/from-download.d.ts +1 -1
- package/dist/external-tools/trivy/from-download.js +7 -4
- package/dist/external-tools/trivy/resolve.d.ts +3 -3
- package/dist/external-tools/trivy/resolve.js +16 -8
- package/dist/external-tools/trufflehog/asset-names.d.ts +1 -1
- package/dist/external-tools/trufflehog/asset-names.js +5 -2
- package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
- package/dist/external-tools/trufflehog/from-download.js +7 -4
- package/dist/external-tools/trufflehog/resolve.d.ts +3 -3
- package/dist/external-tools/trufflehog/resolve.js +16 -8
- package/dist/external-tools/uv/asset-names.d.ts +36 -0
- package/dist/external-tools/uv/asset-names.js +73 -0
- package/dist/external-tools/uv/from-download.d.ts +17 -0
- package/dist/external-tools/uv/from-download.js +50 -0
- package/dist/external-tools/uv/from-path.d.ts +5 -0
- package/dist/external-tools/uv/from-path.js +22 -0
- package/dist/external-tools/uv/from-vfs.d.ts +7 -0
- package/dist/external-tools/uv/from-vfs.js +26 -0
- package/dist/external-tools/uv/resolve.d.ts +25 -0
- package/dist/external-tools/uv/resolve.js +61 -0
- package/dist/external-tools/uv/types.d.ts +24 -0
- package/dist/external-tools/uv/types.js +2 -0
- package/dist/fleet/repo-config.d.ts +53 -0
- package/dist/fleet/repo-config.js +79 -0
- package/dist/fs/allowed-dirs-cache.d.ts +27 -1
- package/dist/fs/allowed-dirs-cache.js +39 -6
- package/dist/fs/copy.d.ts +88 -0
- package/dist/fs/copy.js +89 -0
- package/dist/fs/find.js +1 -1
- package/dist/fs/read-json-cache.d.ts +7 -0
- package/dist/fs/resolve-module.js +6 -2
- package/dist/fs/safe.js +1 -1
- package/dist/git/_internal.js +3 -3
- package/dist/git/repo.js +2 -4
- package/dist/git/staged.js +8 -0
- package/dist/git/tracked.d.ts +84 -0
- package/dist/git/tracked.js +163 -0
- package/dist/git/unstaged.js +8 -0
- package/dist/github/refs-graphql.js +4 -0
- package/dist/github/refs-rest.js +4 -0
- package/dist/globs/_internal.js +1 -1
- package/dist/globs/match.js +9 -1
- package/dist/globs/matcher.js +5 -1
- package/dist/http-request/browser.js +7 -3
- package/dist/http-request/checksum-file.js +1 -1
- package/dist/http-request/{browser-fetch.d.ts → fetch/browser.d.ts} +2 -2
- package/dist/http-request/{browser-fetch.js → fetch/browser.js} +4 -4
- package/dist/http-request/headers.js +1 -1
- package/dist/http-request/request-attempt.js +2 -2
- package/dist/http-request/user-agent.js +1 -1
- package/dist/integrity.d.ts +124 -71
- package/dist/integrity.js +168 -78
- package/dist/json/edit.js +38 -30
- package/dist/json/format.js +1 -1
- package/dist/logger/colors.d.ts +1 -2
- package/dist/logger/colors.js +2 -2
- package/dist/logger/symbols-builder.js +7 -8
- package/dist/logger/symbols.js +8 -8
- package/dist/native-messaging/install.d.ts +1 -1
- package/dist/native-messaging/install.js +7 -4
- package/dist/native-messaging/rate-limit.d.ts +7 -0
- package/dist/native-messaging/rate-limit.js +4 -0
- package/dist/node/async-hooks.js +1 -1
- package/dist/node/child-process.js +1 -1
- package/dist/node/crypto.js +1 -1
- package/dist/node/events.js +1 -1
- package/dist/node/fs-promises.js +1 -1
- package/dist/node/fs.d.ts +22 -6
- package/dist/node/fs.js +16 -3
- package/dist/node/http.js +1 -1
- package/dist/node/https.js +1 -1
- package/dist/node/module.d.ts +73 -2
- package/dist/node/module.js +97 -12
- package/dist/node/os.d.ts +10 -2
- package/dist/node/os.js +11 -4
- package/dist/node/path.d.ts +11 -2
- package/dist/node/path.js +17 -4
- package/dist/node/timers-promises.js +1 -1
- package/dist/node/url.js +1 -1
- package/dist/node/util.js +1 -1
- package/dist/objects/getters.js +1 -1
- package/dist/objects/mutate.js +2 -2
- package/dist/packages/edit-class.d.ts +2 -3
- package/dist/packages/edit-class.js +41 -35
- package/dist/packages/exports.js +4 -4
- package/dist/packages/fetch.js +1 -1
- package/dist/packages/isolation.js +2 -2
- package/dist/packages/licenses.js +2 -2
- package/dist/packages/manifest.d.ts +29 -0
- package/dist/packages/manifest.js +40 -4
- package/dist/packages/normalize.js +2 -2
- package/dist/packages/provenance.js +3 -3
- package/dist/packages/specs.js +1 -1
- package/dist/packages/tarball.js +4 -2
- package/dist/packages/types.d.ts +1 -2
- package/dist/paths/_internal.d.ts +1 -7
- package/dist/paths/_internal.js +9 -15
- package/dist/paths/conversion.js +1 -1
- package/dist/paths/dirnames.d.ts +1 -0
- package/dist/paths/dirnames.js +2 -0
- package/dist/paths/normalize.js +1 -1
- package/dist/paths/predicates.js +2 -1
- package/dist/paths/resolve.js +14 -19
- package/dist/paths/rewire.d.ts +5 -0
- package/dist/paths/socket.d.ts +137 -123
- package/dist/paths/socket.js +172 -131
- package/dist/perf/metrics.js +1 -1
- package/dist/perf/report.js +1 -1
- package/dist/primordials/process.d.ts +88 -0
- package/dist/primordials/process.js +132 -0
- package/dist/primordials/uncurry.d.ts +1 -2
- package/dist/process/spawn/child.js +8 -2
- package/dist/process/spawn/errors.js +1 -1
- package/dist/releases/github-archives.js +1 -1
- package/dist/releases/github-listing.d.ts +1 -2
- package/dist/schema/types.d.ts +3 -4
- package/dist/schema/validate.js +1 -1
- package/dist/secrets/broker.d.ts +35 -0
- package/dist/secrets/broker.js +72 -0
- package/dist/secrets/find.d.ts +8 -6
- package/dist/secrets/find.js +25 -5
- package/dist/secrets/keychain.d.ts +1 -1
- package/dist/secrets/linux.js +32 -44
- package/dist/secrets/macos.d.ts +1 -2
- package/dist/secrets/macos.js +20 -29
- package/dist/secrets/rc.d.ts +2 -2
- package/dist/secrets/rc.js +21 -13
- package/dist/secrets/socket-api-token.js +8 -0
- package/dist/secrets/windows.js +27 -33
- package/dist/shell/parse.d.ts +32 -0
- package/dist/shell/parse.js +60 -0
- package/dist/smol/detect.js +1 -1
- package/dist/smol/http.js +1 -1
- package/dist/smol/https.js +1 -1
- package/dist/smol/manifest.js +1 -1
- package/dist/smol/path.js +1 -1
- package/dist/smol/primordial.js +1 -1
- package/dist/smol/purl.js +1 -1
- package/dist/smol/versions.js +1 -1
- package/dist/smol/vfs.js +1 -1
- package/dist/sorts/_internal.d.ts +1 -2
- package/dist/sorts/_internal.js +2 -6
- package/dist/sorts/semver.js +2 -2
- package/dist/spinner/create-spinner-class.js +2 -2
- package/dist/spinner/spinner-internals.d.ts +1 -1
- package/dist/spinner/spinner-internals.js +9 -5
- package/dist/spinner/spinner.d.ts +4 -0
- package/dist/spinner/spinner.js +1 -1
- package/dist/stdio/progress.js +6 -2
- package/dist/stdio/prompts.d.ts +2 -10
- package/dist/stdio/prompts.js +11 -24
- package/dist/strings/format.js +1 -1
- package/dist/strings/search.js +1 -1
- package/dist/temporal/instant.js +2 -2
- package/dist/themes/context.d.ts +5 -3
- package/dist/themes/context.js +5 -6
- package/dist/url/assert-safe.d.ts +29 -0
- package/dist/url/assert-safe.js +54 -0
- package/dist/url/predicates.d.ts +31 -1
- package/dist/url/predicates.js +42 -1
- package/dist/url/types.d.ts +4 -0
- package/llms.txt +750 -0
- package/package.json +253 -125
|
@@ -0,0 +1,132 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/* Socket Lib - Built with rolldown */
|
|
3
|
+
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
|
|
5
|
+
//#region src/primordials/process.ts
|
|
6
|
+
/**
|
|
7
|
+
* @file Safe call-through accessors for the `process` global's methods and
|
|
8
|
+
* value reads. The `process` object reference is captured once at module load
|
|
9
|
+
* (immune to a later `globalThis.process = …` reassignment), but each method
|
|
10
|
+
* is CALLED at access time off that captured object — so `vi.spyOn(process,
|
|
11
|
+
* 'cwd')`, which mutates the same captured object, still intercepts. Binding
|
|
12
|
+
* the method reference instead (`process.cwd.bind(process)`) would freeze it
|
|
13
|
+
* and break that test seam, so we deliberately keep the late call. Consumers
|
|
14
|
+
* read cwd / platform / env / argv through these instead of touching
|
|
15
|
+
* `process` directly; enforced fleet-wide by
|
|
16
|
+
* `socket/prefer-process-primordial`. This is the `process` leaf of the
|
|
17
|
+
* node-module primordials: where `node/fs` / `node/path` lazy-load a `node:`
|
|
18
|
+
* module behind a function, this captures the always-present `process` global
|
|
19
|
+
* and routes its hot reads through one tamper-resistant surface.
|
|
20
|
+
*/
|
|
21
|
+
const SafeProcess = process;
|
|
22
|
+
/**
|
|
23
|
+
* The CPU architecture token (`'x64'` / `'arm64'` / …).
|
|
24
|
+
*/
|
|
25
|
+
function processArch() {
|
|
26
|
+
return SafeProcess.arch;
|
|
27
|
+
}
|
|
28
|
+
/**
|
|
29
|
+
* The argv array (`[execPath, scriptPath, ...args]`).
|
|
30
|
+
*
|
|
31
|
+
* @example
|
|
32
|
+
* ;```typescript
|
|
33
|
+
* const entry = processArgv()[1]
|
|
34
|
+
* ```
|
|
35
|
+
*/
|
|
36
|
+
function processArgv() {
|
|
37
|
+
return SafeProcess.argv;
|
|
38
|
+
}
|
|
39
|
+
/**
|
|
40
|
+
* The current working directory. Call-through to the captured process's `cwd` —
|
|
41
|
+
* late-bound so test spies still intercept.
|
|
42
|
+
*
|
|
43
|
+
* @example
|
|
44
|
+
* ;```typescript
|
|
45
|
+
* const dir = processCwd()
|
|
46
|
+
* ```
|
|
47
|
+
*/
|
|
48
|
+
function processCwd() {
|
|
49
|
+
return SafeProcess.cwd();
|
|
50
|
+
}
|
|
51
|
+
/**
|
|
52
|
+
* Emit a process warning. Call-through so a test spy on `process.emitWarning`
|
|
53
|
+
* still intercepts.
|
|
54
|
+
*/
|
|
55
|
+
function processEmitWarning(...args) {
|
|
56
|
+
SafeProcess.emitWarning(...args);
|
|
57
|
+
}
|
|
58
|
+
/**
|
|
59
|
+
* The process environment object. Returns the live `process.env` off the
|
|
60
|
+
* captured process (call-through, so a test that swaps `process.env` is seen).
|
|
61
|
+
*
|
|
62
|
+
* @example
|
|
63
|
+
* ;```typescript
|
|
64
|
+
* const token = processEnv()['SOCKET_API_TOKEN']
|
|
65
|
+
* ```
|
|
66
|
+
*/
|
|
67
|
+
function processEnv() {
|
|
68
|
+
return SafeProcess.env;
|
|
69
|
+
}
|
|
70
|
+
/**
|
|
71
|
+
* The absolute path to the Node executable (`process.execPath`).
|
|
72
|
+
*/
|
|
73
|
+
function processExecPath() {
|
|
74
|
+
return SafeProcess.execPath;
|
|
75
|
+
}
|
|
76
|
+
/**
|
|
77
|
+
* Schedule a callback on the next tick. Call-through (late-bound).
|
|
78
|
+
*/
|
|
79
|
+
function processNextTick(...args) {
|
|
80
|
+
SafeProcess.nextTick(...args);
|
|
81
|
+
}
|
|
82
|
+
/**
|
|
83
|
+
* The process id.
|
|
84
|
+
*/
|
|
85
|
+
function processPid() {
|
|
86
|
+
return SafeProcess.pid;
|
|
87
|
+
}
|
|
88
|
+
/**
|
|
89
|
+
* The OS platform token (`'darwin'` / `'linux'` / `'win32'` / …).
|
|
90
|
+
*
|
|
91
|
+
* @example
|
|
92
|
+
* ;```typescript
|
|
93
|
+
* if (processPlatform() === 'win32') { … }
|
|
94
|
+
* ```
|
|
95
|
+
*/
|
|
96
|
+
function processPlatform() {
|
|
97
|
+
return SafeProcess.platform;
|
|
98
|
+
}
|
|
99
|
+
/**
|
|
100
|
+
* The standard error stream. Returned off the captured process so a test that
|
|
101
|
+
* spies on `process.stderr.write` still intercepts.
|
|
102
|
+
*/
|
|
103
|
+
function processStderr() {
|
|
104
|
+
return SafeProcess.stderr;
|
|
105
|
+
}
|
|
106
|
+
/**
|
|
107
|
+
* The standard output stream. Returned off the captured process so a test that
|
|
108
|
+
* spies on `process.stdout.write` still intercepts.
|
|
109
|
+
*/
|
|
110
|
+
function processStdout() {
|
|
111
|
+
return SafeProcess.stdout;
|
|
112
|
+
}
|
|
113
|
+
/**
|
|
114
|
+
* The Node version string (`process.version`, e.g. `'v26.2.0'`).
|
|
115
|
+
*/
|
|
116
|
+
function processVersion() {
|
|
117
|
+
return SafeProcess.version;
|
|
118
|
+
}
|
|
119
|
+
|
|
120
|
+
//#endregion
|
|
121
|
+
exports.processArch = processArch;
|
|
122
|
+
exports.processArgv = processArgv;
|
|
123
|
+
exports.processCwd = processCwd;
|
|
124
|
+
exports.processEmitWarning = processEmitWarning;
|
|
125
|
+
exports.processEnv = processEnv;
|
|
126
|
+
exports.processExecPath = processExecPath;
|
|
127
|
+
exports.processNextTick = processNextTick;
|
|
128
|
+
exports.processPid = processPid;
|
|
129
|
+
exports.processPlatform = processPlatform;
|
|
130
|
+
exports.processStderr = processStderr;
|
|
131
|
+
exports.processStdout = processStdout;
|
|
132
|
+
exports.processVersion = processVersion;
|
|
@@ -12,7 +12,6 @@
|
|
|
12
12
|
export declare const uncurryThis: <T, A extends readonly unknown[], R>(fn: (this: T, ...args: A) => R) => (self: T, ...args: A) => R;
|
|
13
13
|
export declare const applyBind: <T, A extends readonly unknown[], R>(fn: (this: T, ...args: A) => R) => (self: T, args: A) => R;
|
|
14
14
|
export declare const applySafe: <T, A extends readonly unknown[], R>(fn: (this: T, ...args: A) => R) => (self: T, args: A) => R | undefined;
|
|
15
|
-
type BindCall = <T, P extends readonly unknown[], A extends readonly unknown[], R>(fn: (this: T, ...args: [...P, ...A]) => R, thisArg: T, ...presetArgs: P) => (...newArgs: A) => R;
|
|
15
|
+
export type BindCall = <T, P extends readonly unknown[], A extends readonly unknown[], R>(fn: (this: T, ...args: [...P, ...A]) => R, thisArg: T, ...presetArgs: P) => (...newArgs: A) => R;
|
|
16
16
|
export declare const bindCall: BindCall;
|
|
17
17
|
export declare const weakRefSafe: <T extends object | symbol>(target: T) => WeakRef<T> | undefined;
|
|
18
|
-
export {};
|
|
@@ -72,7 +72,10 @@ function spawn(cmd, args, options, extra) {
|
|
|
72
72
|
/* c8 ignore start - Windows-only cmd.exe extension stripping for
|
|
73
73
|
.cmd/.bat/.ps1 shell-true execution. Tested on Windows runners. */
|
|
74
74
|
if (node_process.default.platform === "win32" && shell && require_primordials_regexp.RegExpPrototypeTest(require_process_spawn__internal.windowsScriptExtRegExp, actualCmd)) {
|
|
75
|
-
if (!require_paths_predicates.isPath(actualCmd))
|
|
75
|
+
if (!require_paths_predicates.isPath(actualCmd)) {
|
|
76
|
+
const path = require_node_path.getNodePath();
|
|
77
|
+
actualCmd = path.basename(actualCmd, path.extname(actualCmd));
|
|
78
|
+
}
|
|
76
79
|
}
|
|
77
80
|
const shouldStopSpinner = !!spinnerInstance?.isSpinning && !require_process_spawn_stdio.isStdioType(stdio, "ignore") && !require_process_spawn_stdio.isStdioType(stdio, "pipe");
|
|
78
81
|
const shouldRestartSpinner = shouldStopSpinner;
|
|
@@ -150,7 +153,10 @@ function spawnSync(cmd, args, options) {
|
|
|
150
153
|
/* c8 ignore start - Windows-only cmd.exe extension stripping for
|
|
151
154
|
.cmd/.bat/.ps1 shell-true execution. Tested on Windows runners. */
|
|
152
155
|
if (node_process.default.platform === "win32" && shell && require_primordials_regexp.RegExpPrototypeTest(require_process_spawn__internal.windowsScriptExtRegExp, actualCmd)) {
|
|
153
|
-
if (!require_paths_predicates.isPath(actualCmd))
|
|
156
|
+
if (!require_paths_predicates.isPath(actualCmd)) {
|
|
157
|
+
const path = require_node_path.getNodePath();
|
|
158
|
+
actualCmd = path.basename(actualCmd, path.extname(actualCmd));
|
|
159
|
+
}
|
|
154
160
|
}
|
|
155
161
|
/* c8 ignore stop */
|
|
156
162
|
const { stripAnsi: shouldStripAnsi = true, ...rawSpawnOptions } = {
|
|
@@ -3,8 +3,8 @@
|
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_primordials_error = require('../../primordials/error.js');
|
|
5
5
|
const require_primordials_object = require('../../primordials/object.js');
|
|
6
|
-
const require_primordials_reflect = require('../../primordials/reflect.js');
|
|
7
6
|
const require_objects_predicates = require('../../objects/predicates.js');
|
|
7
|
+
const require_primordials_reflect = require('../../primordials/reflect.js');
|
|
8
8
|
const require_process_spawn__internal = require('./_internal.js');
|
|
9
9
|
let src_external_pony_cause = require("../../external/pony-cause");
|
|
10
10
|
|
|
@@ -4,8 +4,8 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
|
4
4
|
const require_primordials_error = require('../primordials/error.js');
|
|
5
5
|
const require_node_path = require('../node/path.js');
|
|
6
6
|
const require_logger_default = require('../logger/default.js');
|
|
7
|
-
const require_archives_detect = require('../archives/detect.js');
|
|
8
7
|
const require_fs_safe = require('../fs/safe.js');
|
|
8
|
+
const require_archives_detect = require('../archives/detect.js');
|
|
9
9
|
const require_archives_extract = require('../archives/extract.js');
|
|
10
10
|
const require_releases_github_downloads = require('./github-downloads.js');
|
|
11
11
|
|
|
@@ -17,7 +17,7 @@ import type { AssetPattern, RepoConfig } from './github-types';
|
|
|
17
17
|
* output to this shape so downstream code is unaware of which transport
|
|
18
18
|
* produced the data.
|
|
19
19
|
*/
|
|
20
|
-
interface ReleaseRow {
|
|
20
|
+
export interface ReleaseRow {
|
|
21
21
|
tag_name: string;
|
|
22
22
|
published_at: string;
|
|
23
23
|
assets: Array<{
|
|
@@ -111,4 +111,3 @@ export declare function getLatestRelease(toolPrefix: string, repoConfig: RepoCon
|
|
|
111
111
|
* non-string/Buffer bodies; parse the rest. Throws on genuine parse failure.
|
|
112
112
|
*/
|
|
113
113
|
export declare function parseResponseBody(body: unknown): unknown;
|
|
114
|
-
export {};
|
package/dist/schema/types.d.ts
CHANGED
|
@@ -62,7 +62,7 @@ export interface Schema<T = unknown> {
|
|
|
62
62
|
*
|
|
63
63
|
* @internal
|
|
64
64
|
*/
|
|
65
|
-
interface ZodV4LikeSchema<O = unknown> {
|
|
65
|
+
export interface ZodV4LikeSchema<O = unknown> {
|
|
66
66
|
_zod: {
|
|
67
67
|
output: O;
|
|
68
68
|
};
|
|
@@ -74,7 +74,7 @@ interface ZodV4LikeSchema<O = unknown> {
|
|
|
74
74
|
*
|
|
75
75
|
* @internal
|
|
76
76
|
*/
|
|
77
|
-
interface ZodV3LikeSchema<O = unknown> {
|
|
77
|
+
export interface ZodV3LikeSchema<O = unknown> {
|
|
78
78
|
_output: O;
|
|
79
79
|
safeParse(data: unknown): unknown;
|
|
80
80
|
}
|
|
@@ -85,7 +85,7 @@ interface ZodV3LikeSchema<O = unknown> {
|
|
|
85
85
|
*
|
|
86
86
|
* @internal
|
|
87
87
|
*/
|
|
88
|
-
interface TypeBoxLikeSchema {
|
|
88
|
+
export interface TypeBoxLikeSchema {
|
|
89
89
|
static: unknown;
|
|
90
90
|
}
|
|
91
91
|
/**
|
|
@@ -130,4 +130,3 @@ export type ValidateResult<T> = {
|
|
|
130
130
|
ok: false;
|
|
131
131
|
errors: ValidationIssue[];
|
|
132
132
|
};
|
|
133
|
-
export {};
|
package/dist/schema/validate.js
CHANGED
|
@@ -2,9 +2,9 @@
|
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_primordials_error = require('../primordials/error.js');
|
|
5
|
+
const require_primordials_object = require('../primordials/object.js');
|
|
5
6
|
const require_primordials_number = require('../primordials/number.js');
|
|
6
7
|
const require_primordials_array = require('../primordials/array.js');
|
|
7
|
-
const require_primordials_object = require('../primordials/object.js');
|
|
8
8
|
|
|
9
9
|
//#region src/schema/validate.ts
|
|
10
10
|
/**
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @file Proteus broker client. Asks the running proteus credential daemon for a
|
|
3
|
+
* secret over its local Unix socket (Windows named pipe later), so a
|
|
4
|
+
* biometric-gated read happens inside the daemon and the value is vended to
|
|
5
|
+
* this process in memory rather than sitting in an env var. This is the layer
|
|
6
|
+
* `ai/credentials.mts` documents as slotting between the env check and the
|
|
7
|
+
* keychain read in `secrets/find.ts` `resolve()`.
|
|
8
|
+
* The broker is OPTIONAL and self-gating: when the daemon isn't running (no
|
|
9
|
+
* socket file), `requestFromBroker` returns `undefined` immediately and the
|
|
10
|
+
* caller falls through to the keychain. It never throws — a broker miss is a
|
|
11
|
+
* fall-through, not an error. The daemon binary itself is built by socket-btm
|
|
12
|
+
* (`packages/proteus-builder`); download-and-start is a later layer, so today
|
|
13
|
+
* this only talks to an already-running daemon.
|
|
14
|
+
*/
|
|
15
|
+
export interface BrokerRequestOptions {
|
|
16
|
+
/**
|
|
17
|
+
* The keychain service scope (e.g. `socketsecurity`).
|
|
18
|
+
*/
|
|
19
|
+
readonly service: string;
|
|
20
|
+
/**
|
|
21
|
+
* The account within the service (e.g. `ANTHROPIC_API_KEY`).
|
|
22
|
+
*/
|
|
23
|
+
readonly account: string;
|
|
24
|
+
}
|
|
25
|
+
export interface BrokerResponse {
|
|
26
|
+
readonly ok?: boolean | undefined;
|
|
27
|
+
readonly value?: string | undefined;
|
|
28
|
+
}
|
|
29
|
+
/**
|
|
30
|
+
* Ask the proteus daemon for a credential. Returns the value on success, or
|
|
31
|
+
* `undefined` when the daemon isn't running, doesn't hold it, or the biometric
|
|
32
|
+
* prompt was declined. Never throws: a miss falls through to the next resolver
|
|
33
|
+
* layer (the keychain).
|
|
34
|
+
*/
|
|
35
|
+
export declare function requestFromBroker({ account, service, }: BrokerRequestOptions): Promise<string | undefined>;
|
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/* Socket Lib - Built with rolldown */
|
|
3
|
+
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_runtime = require('../_virtual/_rolldown/runtime.js');
|
|
5
|
+
const require_paths_socket = require('../paths/socket.js');
|
|
6
|
+
let node_fs = require("node:fs");
|
|
7
|
+
let node_net = require("node:net");
|
|
8
|
+
node_net = require_runtime.__toESM(node_net);
|
|
9
|
+
|
|
10
|
+
//#region src/secrets/broker.ts
|
|
11
|
+
/**
|
|
12
|
+
* @file Proteus broker client. Asks the running proteus credential daemon for a
|
|
13
|
+
* secret over its local Unix socket (Windows named pipe later), so a
|
|
14
|
+
* biometric-gated read happens inside the daemon and the value is vended to
|
|
15
|
+
* this process in memory rather than sitting in an env var. This is the layer
|
|
16
|
+
* `ai/credentials.mts` documents as slotting between the env check and the
|
|
17
|
+
* keychain read in `secrets/find.ts` `resolve()`.
|
|
18
|
+
* The broker is OPTIONAL and self-gating: when the daemon isn't running (no
|
|
19
|
+
* socket file), `requestFromBroker` returns `undefined` immediately and the
|
|
20
|
+
* caller falls through to the keychain. It never throws — a broker miss is a
|
|
21
|
+
* fall-through, not an error. The daemon binary itself is built by socket-btm
|
|
22
|
+
* (`packages/proteus-builder`); download-and-start is a later layer, so today
|
|
23
|
+
* this only talks to an already-running daemon.
|
|
24
|
+
*/
|
|
25
|
+
const PROTEUS_SOCKET_NAME = "proteus";
|
|
26
|
+
const BROKER_TIMEOUT_MS = 1e3;
|
|
27
|
+
/**
|
|
28
|
+
* Ask the proteus daemon for a credential. Returns the value on success, or
|
|
29
|
+
* `undefined` when the daemon isn't running, doesn't hold it, or the biometric
|
|
30
|
+
* prompt was declined. Never throws: a miss falls through to the next resolver
|
|
31
|
+
* layer (the keychain).
|
|
32
|
+
*/
|
|
33
|
+
async function requestFromBroker({ account, service }) {
|
|
34
|
+
const socketPath = require_paths_socket.getRuntimeSocketPath(PROTEUS_SOCKET_NAME);
|
|
35
|
+
if (!(0, node_fs.existsSync)(socketPath)) return;
|
|
36
|
+
return await new Promise((resolvePromise) => {
|
|
37
|
+
const conn = node_net.default.connect(socketPath);
|
|
38
|
+
let buffer = "";
|
|
39
|
+
let settled = false;
|
|
40
|
+
function settle(value) {
|
|
41
|
+
if (settled) return;
|
|
42
|
+
settled = true;
|
|
43
|
+
conn.destroy();
|
|
44
|
+
resolvePromise(value);
|
|
45
|
+
}
|
|
46
|
+
conn.setTimeout(BROKER_TIMEOUT_MS);
|
|
47
|
+
conn.on("timeout", () => settle(void 0));
|
|
48
|
+
conn.on("error", () => settle(void 0));
|
|
49
|
+
conn.on("connect", () => {
|
|
50
|
+
const payload = JSON.stringify({
|
|
51
|
+
account,
|
|
52
|
+
op: "get",
|
|
53
|
+
service
|
|
54
|
+
});
|
|
55
|
+
conn.write(`${payload}\n`);
|
|
56
|
+
});
|
|
57
|
+
conn.on("data", (chunk) => {
|
|
58
|
+
buffer += String(chunk);
|
|
59
|
+
const newlineAt = buffer.indexOf("\n");
|
|
60
|
+
if (newlineAt === -1) return;
|
|
61
|
+
try {
|
|
62
|
+
const parsed = JSON.parse(buffer.slice(0, newlineAt));
|
|
63
|
+
settle(parsed.ok && typeof parsed.value === "string" ? parsed.value : void 0);
|
|
64
|
+
} catch {
|
|
65
|
+
settle(void 0);
|
|
66
|
+
}
|
|
67
|
+
});
|
|
68
|
+
});
|
|
69
|
+
}
|
|
70
|
+
|
|
71
|
+
//#endregion
|
|
72
|
+
exports.requestFromBroker = requestFromBroker;
|
package/dist/secrets/find.d.ts
CHANGED
|
@@ -51,10 +51,11 @@ export interface ResolveResult {
|
|
|
51
51
|
value: string;
|
|
52
52
|
/**
|
|
53
53
|
* Where the value came from: 'env' — `process.env[<account>]` had a non-empty
|
|
54
|
-
* value. '
|
|
55
|
-
*
|
|
54
|
+
* value. 'broker' — the proteus daemon vended it after a biometric unlock.
|
|
55
|
+
* 'keychain' — env-var was empty and no broker was running; the value was
|
|
56
|
+
* read from the OS credential store under the matching account.
|
|
56
57
|
*/
|
|
57
|
-
source: 'env' | 'keychain';
|
|
58
|
+
source: 'broker' | 'env' | 'keychain';
|
|
58
59
|
/**
|
|
59
60
|
* Which account in `accounts` was the actual hit.
|
|
60
61
|
*/
|
|
@@ -71,9 +72,10 @@ export declare function readEnv(name: string): string | undefined;
|
|
|
71
72
|
* `undefined` when neither source has the value — the caller's signal to prompt
|
|
72
73
|
* the user or surface a setup hint.
|
|
73
74
|
*/
|
|
74
|
-
export declare function resolve(
|
|
75
|
+
export declare function resolve(options: ResolveOptions): Promise<ResolveResult | undefined>;
|
|
75
76
|
/**
|
|
76
77
|
* Sync variant for non-async callers (hook initializers, schema validators that
|
|
77
|
-
* run before any `await` machinery exists).
|
|
78
|
+
* run before any `await` machinery exists). Has no proteus broker tier — the
|
|
79
|
+
* broker socket round-trip is async — so this path is env → keychain only.
|
|
78
80
|
*/
|
|
79
|
-
export declare function resolveSync(
|
|
81
|
+
export declare function resolveSync(options: ResolveOptions): ResolveResult | undefined;
|
package/dist/secrets/find.js
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_secrets_broker = require('./broker.js');
|
|
4
5
|
const require_secrets_keychain = require('./keychain.js');
|
|
5
6
|
|
|
6
7
|
//#region src/secrets/find.ts
|
|
@@ -42,8 +43,11 @@ function readEnv(name) {
|
|
|
42
43
|
* `undefined` when neither source has the value — the caller's signal to prompt
|
|
43
44
|
* the user or surface a setup hint.
|
|
44
45
|
*/
|
|
45
|
-
async function resolve(
|
|
46
|
-
const { accounts, allowEnvOnly, service } =
|
|
46
|
+
async function resolve(options) {
|
|
47
|
+
const { accounts, allowEnvOnly, service } = {
|
|
48
|
+
__proto__: null,
|
|
49
|
+
...options
|
|
50
|
+
};
|
|
47
51
|
for (let i = 0, { length } = accounts; i < length; i += 1) {
|
|
48
52
|
const account = accounts[i];
|
|
49
53
|
const fromEnv = readEnv(account);
|
|
@@ -54,6 +58,18 @@ async function resolve(opts) {
|
|
|
54
58
|
};
|
|
55
59
|
}
|
|
56
60
|
if (allowEnvOnly) return;
|
|
61
|
+
for (let i = 0, { length } = accounts; i < length; i += 1) {
|
|
62
|
+
const account = accounts[i];
|
|
63
|
+
const fromBroker = await require_secrets_broker.requestFromBroker({
|
|
64
|
+
account,
|
|
65
|
+
service
|
|
66
|
+
});
|
|
67
|
+
if (fromBroker) return {
|
|
68
|
+
value: fromBroker,
|
|
69
|
+
source: "broker",
|
|
70
|
+
account
|
|
71
|
+
};
|
|
72
|
+
}
|
|
57
73
|
for (let i = 0, { length } = accounts; i < length; i += 1) {
|
|
58
74
|
const account = accounts[i];
|
|
59
75
|
const fromKeychain = await require_secrets_keychain.readSecret({
|
|
@@ -69,10 +85,14 @@ async function resolve(opts) {
|
|
|
69
85
|
}
|
|
70
86
|
/**
|
|
71
87
|
* Sync variant for non-async callers (hook initializers, schema validators that
|
|
72
|
-
* run before any `await` machinery exists).
|
|
88
|
+
* run before any `await` machinery exists). Has no proteus broker tier — the
|
|
89
|
+
* broker socket round-trip is async — so this path is env → keychain only.
|
|
73
90
|
*/
|
|
74
|
-
function resolveSync(
|
|
75
|
-
const { accounts, allowEnvOnly, service } =
|
|
91
|
+
function resolveSync(options) {
|
|
92
|
+
const { accounts, allowEnvOnly, service } = {
|
|
93
|
+
__proto__: null,
|
|
94
|
+
...options
|
|
95
|
+
};
|
|
76
96
|
for (let i = 0, { length } = accounts; i < length; i += 1) {
|
|
77
97
|
const account = accounts[i];
|
|
78
98
|
const fromEnv = readEnv(account);
|
|
@@ -46,7 +46,7 @@ export declare function deleteSecretFromSlotsSync({ service, accounts, }: Delete
|
|
|
46
46
|
export declare function deleteSecretSync({ service, account, }: DeleteOptions): 'removed' | 'absent';
|
|
47
47
|
export type { BackendAvailability, SecretDeleteResult, SecretWriteResult, } from './types';
|
|
48
48
|
export type { SecretSlot } from './types';
|
|
49
|
-
type Platform = 'darwin' | 'linux' | 'win32' | 'other';
|
|
49
|
+
export type Platform = 'darwin' | 'linux' | 'win32' | 'other';
|
|
50
50
|
/**
|
|
51
51
|
* Resolve the current OS to one of our four backend categories.
|
|
52
52
|
*
|
package/dist/secrets/linux.js
CHANGED
|
@@ -46,32 +46,25 @@ function isLinuxBackendAvailable() {
|
|
|
46
46
|
return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, ["--version"], { stdio: "ignore" }).status === 0;
|
|
47
47
|
}
|
|
48
48
|
async function readLinux(service, account) {
|
|
49
|
-
|
|
50
|
-
const
|
|
49
|
+
try {
|
|
50
|
+
const r = await (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
|
|
51
51
|
"lookup",
|
|
52
52
|
"service",
|
|
53
53
|
service,
|
|
54
54
|
"user",
|
|
55
55
|
account
|
|
56
|
-
], {
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
cp.stdout.on("data", (chunk) => {
|
|
64
|
-
stdout += chunk;
|
|
65
|
-
});
|
|
66
|
-
cp.on("error", () => resolve(void 0));
|
|
67
|
-
cp.on("close", (status) => {
|
|
68
|
-
if (status !== 0) {
|
|
69
|
-
resolve(void 0);
|
|
70
|
-
return;
|
|
71
|
-
}
|
|
72
|
-
resolve(stdout.trim() || void 0);
|
|
56
|
+
], {
|
|
57
|
+
stdio: [
|
|
58
|
+
"ignore",
|
|
59
|
+
"pipe",
|
|
60
|
+
"pipe"
|
|
61
|
+
],
|
|
62
|
+
stdioString: true
|
|
73
63
|
});
|
|
74
|
-
|
|
64
|
+
return String(r.stdout ?? "").trim() || void 0;
|
|
65
|
+
} catch {
|
|
66
|
+
return;
|
|
67
|
+
}
|
|
75
68
|
}
|
|
76
69
|
function readLinuxSync(service, account) {
|
|
77
70
|
const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [
|
|
@@ -92,34 +85,29 @@ function readLinuxSync(service, account) {
|
|
|
92
85
|
return r.stdout.trim() || void 0;
|
|
93
86
|
}
|
|
94
87
|
async function writeLinux(service, account, value, label) {
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
88
|
+
const hint = "Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.";
|
|
89
|
+
const child = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
|
|
90
|
+
"store",
|
|
91
|
+
`--label=${label}`,
|
|
92
|
+
"service",
|
|
93
|
+
service,
|
|
94
|
+
"user",
|
|
95
|
+
account
|
|
96
|
+
], {
|
|
97
|
+
stdio: [
|
|
104
98
|
"pipe",
|
|
105
99
|
"pipe",
|
|
106
100
|
"pipe"
|
|
107
|
-
]
|
|
108
|
-
|
|
109
|
-
cp.stderr.setEncoding("utf8");
|
|
110
|
-
cp.stderr.on("data", (chunk) => {
|
|
111
|
-
stderr += chunk;
|
|
112
|
-
});
|
|
113
|
-
cp.on("error", (err) => reject(/* @__PURE__ */ new Error(`secret-tool store failed: ${err.message}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`)));
|
|
114
|
-
cp.on("close", (status) => {
|
|
115
|
-
if (status === 0) {
|
|
116
|
-
resolve();
|
|
117
|
-
return;
|
|
118
|
-
}
|
|
119
|
-
reject(/* @__PURE__ */ new Error(`secret-tool store failed (status=${status}, user=${account}): ${stderr.trim()}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`));
|
|
120
|
-
});
|
|
121
|
-
cp.stdin.end(value);
|
|
101
|
+
],
|
|
102
|
+
stdioString: true
|
|
122
103
|
});
|
|
104
|
+
child.process.stdin.end(value);
|
|
105
|
+
try {
|
|
106
|
+
await child;
|
|
107
|
+
} catch (e) {
|
|
108
|
+
const err = e;
|
|
109
|
+
throw new require_primordials_error.ErrorCtor(`secret-tool store failed (status=${typeof err?.code === "number" ? err.code : -1}, user=${account}): ${String(err?.stderr ?? err?.message ?? "").trim()}. ${hint}`);
|
|
110
|
+
}
|
|
123
111
|
}
|
|
124
112
|
function writeLinuxSync(service, account, value, label) {
|
|
125
113
|
const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [
|
package/dist/secrets/macos.d.ts
CHANGED
|
@@ -23,7 +23,7 @@ export declare function deleteMacOSSync(service: string, account: string): 'remo
|
|
|
23
23
|
export declare function isMacOSBackendAvailable(): boolean;
|
|
24
24
|
export declare function readMacOS(service: string, account: string): Promise<string | undefined>;
|
|
25
25
|
export declare function readMacOSSync(service: string, account: string): string | undefined;
|
|
26
|
-
interface SpawnOpts {
|
|
26
|
+
export interface SpawnOpts {
|
|
27
27
|
stdio?: 'ignore' | 'pipe' | ['ignore', 'pipe', 'pipe'] | undefined;
|
|
28
28
|
}
|
|
29
29
|
export declare function runAsync(args: readonly string[], opts?: SpawnOpts): Promise<{
|
|
@@ -33,4 +33,3 @@ export declare function runAsync(args: readonly string[], opts?: SpawnOpts): Pro
|
|
|
33
33
|
}>;
|
|
34
34
|
export declare function writeMacOS(service: string, account: string, value: string, label: string): Promise<void>;
|
|
35
35
|
export declare function writeMacOSSync(service: string, account: string, value: string, label: string): void;
|
|
36
|
-
export {};
|
package/dist/secrets/macos.js
CHANGED
|
@@ -2,7 +2,6 @@
|
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_primordials_error = require('../primordials/error.js');
|
|
5
|
-
const require_primordials_promise = require('../primordials/promise.js');
|
|
6
5
|
let _socketsecurity_lib_stable_process_spawn_child = require("@socketsecurity/lib-stable/process/spawn/child");
|
|
7
6
|
|
|
8
7
|
//#region src/secrets/macos.ts
|
|
@@ -79,38 +78,30 @@ function readMacOSSync(service, account) {
|
|
|
79
78
|
if (r.status !== 0) return;
|
|
80
79
|
return r.stdout.trim() || void 0;
|
|
81
80
|
}
|
|
82
|
-
function runAsync(args, opts = {}) {
|
|
83
|
-
|
|
84
|
-
|
|
81
|
+
async function runAsync(args, opts = {}) {
|
|
82
|
+
const child = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECURITY_BIN, args, {
|
|
83
|
+
stdio: opts.stdio ?? [
|
|
85
84
|
"ignore",
|
|
86
85
|
"pipe",
|
|
87
86
|
"pipe"
|
|
88
|
-
]
|
|
89
|
-
|
|
90
|
-
let stderr = "";
|
|
91
|
-
if (cp.stdout) {
|
|
92
|
-
cp.stdout.setEncoding("utf8");
|
|
93
|
-
cp.stdout.on("data", (chunk) => {
|
|
94
|
-
stdout += chunk;
|
|
95
|
-
});
|
|
96
|
-
}
|
|
97
|
-
if (cp.stderr) {
|
|
98
|
-
cp.stderr.setEncoding("utf8");
|
|
99
|
-
cp.stderr.on("data", (chunk) => {
|
|
100
|
-
stderr += chunk;
|
|
101
|
-
});
|
|
102
|
-
}
|
|
103
|
-
cp.on("error", () => resolve({
|
|
104
|
-
status: -1,
|
|
105
|
-
stdout,
|
|
106
|
-
stderr
|
|
107
|
-
}));
|
|
108
|
-
cp.on("close", (status) => resolve({
|
|
109
|
-
status,
|
|
110
|
-
stdout,
|
|
111
|
-
stderr
|
|
112
|
-
}));
|
|
87
|
+
],
|
|
88
|
+
stdioString: true
|
|
113
89
|
});
|
|
90
|
+
try {
|
|
91
|
+
const r = await child;
|
|
92
|
+
return {
|
|
93
|
+
status: typeof r.code === "number" ? r.code : null,
|
|
94
|
+
stderr: String(r.stderr ?? ""),
|
|
95
|
+
stdout: String(r.stdout ?? "")
|
|
96
|
+
};
|
|
97
|
+
} catch (e) {
|
|
98
|
+
const err = e;
|
|
99
|
+
return {
|
|
100
|
+
status: typeof err?.code === "number" ? err.code : -1,
|
|
101
|
+
stderr: String(err?.stderr ?? ""),
|
|
102
|
+
stdout: String(err?.stdout ?? "")
|
|
103
|
+
};
|
|
104
|
+
}
|
|
114
105
|
}
|
|
115
106
|
async function writeMacOS(service, account, value, label) {
|
|
116
107
|
const r = await runAsync([
|
package/dist/secrets/rc.d.ts
CHANGED
|
@@ -37,7 +37,7 @@
|
|
|
37
37
|
* non-interactive shells (Claude Code, IDE plugins, CI runners) skip .zshrc
|
|
38
38
|
* and would miss the export.
|
|
39
39
|
*/
|
|
40
|
-
export declare function buildBlock(
|
|
40
|
+
export declare function buildBlock(options: WriteOptions): {
|
|
41
41
|
begin: string;
|
|
42
42
|
end: string;
|
|
43
43
|
body: string;
|
|
@@ -126,7 +126,7 @@ export declare function shellSingleQuote(value: string): string;
|
|
|
126
126
|
* `shell` and `rcPath` override the auto-detected target — useful for chezmoi /
|
|
127
127
|
* dotfile-manager users or installers running under a non-default shell.
|
|
128
128
|
*/
|
|
129
|
-
export declare function write(
|
|
129
|
+
export declare function write(options: WriteOptions): WriteResult;
|
|
130
130
|
/**
|
|
131
131
|
* Internal: write an rc file with 0o600 (owner-only). The rc file embeds a
|
|
132
132
|
* literal SOCKET_API_KEY value so the shell rc can `export` it on session start
|